This isn’t the first time I’ve looked at PINs, and on occasion I have done so in the specific context of iOS devices. In fact, I spent some time researching PIN and password selection strategies after encountering some analysis by Daniel Amitay of an anonymized sample set of 204,508 PINs used by iGadget owners to access his Big Brother application, after he kindly made his data available to me. As I said at the time:
“While we cannot assume that a choice of passcode for Big Brother would reflect either screenlocking passcode selection or PIN selection practice, it seems reasonable to assume that, given the size of the sample, there is likely to be some correlation.”
At the time, iGadgets offered a choice of passcode modes for screenlocking: off, simple four-digit passcode, or a more complex passcode. (It’s a little more complicated with recent versions of iOS.) And while I certainly wasn’t discouraging anyone from using a complex passcode, I was initially concerned to dissuade anyone from using the most used PINs – for instance, the ones that fall most easily under the fingers like a single repeated character (ergonomic strategy), or that are most easily memorized, as when numbers are paired with letters. (For instance, 5683 could easily correspond to L-O-V-E.) After all, Amitay’s research indicated that 15% of all iPhone owners were using one of the ten most common passcodes. (5683 was one of that top ten.)
In some ways, the combination of a good passcode or password and a limit on the number of retries is hard to beat (in the absence of alternative approaches such as offline brute-force or guessing attacks). ATMs have a habit of swallowing smartcards after the third failed PIN entry. Similarly, smartphones tend to have an option to erase data and/or render the phone inaccessible after a set number of unsuccessful passcode entry attempts. In iOS, there is an option to erase after ten attempts. (Otherwise, the device is just temporarily disabled.) So it would seem that avoiding a fairly small subset of common PINs should keep you fairly safe where this combination of defences applies.
But what if that restriction can be bypassed? MDSec reports that for £200 the company was able to acquire a device called an IP Box that is used to automate brute-forcing the iOS screenlock passcode. Algorithmically speaking, that’s trivial for a 4-digit PIN: all you have to do is cycle through all 10,000 possible codes from 0000 to 9999. If you could do it offline, you could do it almost instantly with a small program. But what about that ten-strikes-and-out limitation?
According to MDSec, the IP Box bypasses it:
“by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.”
Not something you’re likely to do to someone’s phone while he nips to the restroom, but certainly not a major obstacle if you have a stolen phone and a few days to spare.
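The arithmetic behind those figures, as an added example that is not part of the original post: it reproduces MDSec’s ~111 hours for a 4-digit PIN at 40 seconds per attempt, extends it to longer and alphanumeric passcodes, and models what the erase-after-ten limit buys a user who does or does not avoid the ten most common PINs (the 15% share is Amitay’s; spreading it evenly across those ten is an assumption).

```python
"""Passcode brute-force budget under the IP Box model described above.

Added example, not code from the original post. Assumptions: 40 s per
attempt (MDSec's figure), sequential attempts, and Amitay's 15 % for the
ten most common PINs, spread evenly across those ten (an assumption).
"""
from dataclasses import dataclass

SECONDS_PER_ATTEMPT = 40  # MDSec: ~40 s per PIN entry with the power-cut trick


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int  # distinct symbols allowed in each position
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length


def worst_case_hours(policy, secs=SECONDS_PER_ATTEMPT):
    """Time to try every code once; for 4 digits this is MDSec's ~111 hours."""
    return policy.keyspace * secs / 3600


def expected_hours(policy, secs=SECONDS_PER_ATTEMPT):
    """Average time for a uniformly random code: (N + 1) / 2 guesses."""
    return (policy.keyspace + 1) / 2 * secs / 3600


def limited_guess_success(limit, keyspace=10_000, top_k=10, top_k_share=0.15,
                          avoids_common=False):
    """Success probability when erase-after-`limit` is NOT bypassed: the
    guesser tries the `top_k` most common codes first, then the rest, and is
    cut off after `limit` tries. `avoids_common`: user picked outside that list."""
    later = max(0, limit - top_k)          # attempts left after the common list
    if avoids_common:
        return later / (keyspace - top_k)  # every common-list attempt is wasted
    from_top = top_k_share * min(limit, top_k) / top_k
    from_rest = (1 - top_k_share) * later / (keyspace - top_k)
    return from_top + from_rest


if __name__ == "__main__":
    for p in (PasscodePolicy("4-digit PIN", 10, 4), PasscodePolicy("6-digit PIN", 10, 6),
              PasscodePolicy("8-char alphanumeric", 62, 8)):
        print(f"{p.name:22} keyspace={p.keyspace:>16,} worst={worst_case_hours(p):,.0f} h")
    print("10-try limit:", limited_guess_success(10), limited_guess_success(10, avoids_common=True))
```

With the limit intact, ten ordered guesses succeed against 15% of users but against none who avoid the top ten; with the limit bypassed, only the keyspace (4 digits: ~111 hours worst case, 6 digits: ~11,111 hours) protects the device.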
In the real world, there are a number of steps you might be able to take to limit the exposure of data and connectivity on a lost or stolen smartphone, including remote wiping, once you’ve noticed that it’s gone. But as Graham Cluley has already pointed out, it’s well worth the additional security to:
“Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.”
Of course, the same applies to other devices.
Small Blue-Green World